RELEASE NOTES: JDK openjdk8u432

Notes generated: Thu Jan 02 09:26:57 CET 2025

JEPs

None.

RELEASE NOTES

core-libs/javax.naming

Issue Description

Issue	Description
JDK-8290367	Update Default Value and Extend the Scope of com.sun.jndi.ldap.object.trustSerialData System Property In this release, the JDK implementation of the LDAP provider no longer supports deserialization of Java objects by default: The default value of the `com.sun.jndi.ldap.object.trustSerialData` system property has been updated to `false`. The scope of the `com.sun.jndi.ldap.object.trustSerialData` system property has been extended to cover the reconstruction of RMI remote objects from the `javaRemoteLocation` LDAP attribute. The transparent deserialization of Java objects from an LDAP context will now require an explicit opt-in. Applications that rely on reconstruction of Java objects or RMI stubs from the LDAP attributes would need to set the `com.sun.jndi.ldap.object.trustSerialData` system property to `true`.

Update Default Value and Extend the Scope of com.sun.jndi.ldap.object.trustSerialData System Property

In this release, the JDK implementation of the LDAP provider no longer supports deserialization of Java objects by default:

The default value of the com.sun.jndi.ldap.object.trustSerialData system property has been updated to false.
The scope of the com.sun.jndi.ldap.object.trustSerialData system property has been extended to cover the reconstruction of RMI remote objects from the javaRemoteLocation LDAP attribute.

The transparent deserialization of Java objects from an LDAP context will now require an explicit opt-in. Applications that rely on reconstruction of Java objects or RMI stubs from the LDAP attributes would need to set the com.sun.jndi.ldap.object.trustSerialData system property to true.

core-libs/java.util.jar

Issue Description

Issue	Description
JDK-8193682	Default JDK Compressor Will Be Closed when IOException Is Encountered `DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. `ZIPOutputStream.closeEntry()` method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.

JDK-8193682

Default JDK Compressor Will Be Closed when IOException Is Encountered

DeflaterOutputStream.close() and GZIPOutputStream.finish() methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. ZIPOutputStream.closeEntry() method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.

security-libs/javax.net.ssl

Issue Description

JDK-8279164

Disabled TLS_ECDH Cipher Suites

The TLSECDH cipher suites have been disabled by default, by adding "ECDH" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. The TLSECDH cipher suites do not preserve forward-secrecy and are rarely used in practice. Note that some TLSECDH cipher suites were already disabled because they use algorithms that are disabled, such as 3DES and RC4. This action disables the rest. Any attempts to use cipher suites starting with "TLSECDH_" will fail with an SSLHandshakeException. Users can, at their own risk, re-enable these cipher suites by removing "ECDH" from the jdk.tls.disabledAlgorithms security property.

Please note that this change has no effect on the TLS_ECDHE cipher suites, which are still enabled by default.

JDK-8337664

Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024

The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.

TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.

An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:

` TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net`

If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Entrust Root certificates included in the JDK:

Root Certificates distrusted after 2024-11-11
Distinguished Name	SHA-256 Fingerprint
CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US	73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C
CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US	02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US	43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US	DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88
CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net	6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77
CN=AffirmTrust Commercial, O=AffirmTrust, C=US	03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7
CN=AffirmTrust Networking, O=AffirmTrust, C=US	0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B
CN=AffirmTrust Premium, O=AffirmTrust, C=US	70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A
CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US	BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.

JDK-8341059

Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024

An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:

The restrictions are imposed on the following Entrust Root certificates included in the JDK:

Root Certificates distrusted after 2024-11-11
Distinguished Name	SHA-256 Fingerprint
CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US	73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C
CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US	02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US	43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US	DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88
CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net	6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77
CN=AffirmTrust Commercial, O=AffirmTrust, C=US	03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7
CN=AffirmTrust Networking, O=AffirmTrust, C=US	0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B
CN=AffirmTrust Premium, O=AffirmTrust, C=US	70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A
CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US	BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

security-libs/java.security

Issue	Description
JDK-8341057	Added SSL.com TLS Root CA Certificates Issued in 2022 The following root certificates have been added to the cacerts truststore: ``` + SSL.com + ssltlsrootecc2022 DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US SSL.com ssltlsrootrsa2022 DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US ```

Issue

Description

JDK-8341057

Added SSL.com TLS Root CA Certificates Issued in 2022

The following root certificates have been added to the cacerts truststore: ``` + SSL.com + ssltlsrootecc2022 DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US

SSL.com
ssltlsrootrsa2022 DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US ```

FIXED ISSUES

client-libs

Priority	Bug	Summary
P3	JDK-8298887	On the latest macOS+XCode the Robot API may report wrong colors

client-libs/2d

Priority	Bug	Summary
P3	JDK-8318951	Additional negative value check in JPEG decoding
P3	JDK-8311666	Disabled tests in test/jdk/sun/java2d/marlin
P4	JDK-8337312	[8u] Windows x86 VS2010 build broken by JDK-8320097

client-libs/java.awt

Priority	Bug	Summary
P4	JDK-6544871	java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.

client-libs/javax.sound

Priority	Bug	Summary
P4	JDK-8266248	Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
P4	JDK-7188098	TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails

client-libs/javax.swing

Priority	Bug	Summary
P3	JDK-8327007	javax/swing/JSpinner/8008657/bug8008657.java fails
P4	JDK-8264328	Broken license in javax/swing/JComboBox/8072767/bug8072767.java
P4	JDK-8221903	PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04

core-libs

Priority	Bug	Summary
P4	JDK-8326351	Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1

core-libs/java.net

Priority	Bug	Summary
P4	JDK-8238274	(sctp) JDK-7118373 is not fixed for SctpChannel

core-libs/java.nio

Priority	Bug	Summary
P4	JDK-8030795	java/nio/file/Files/probeContentType/ForceLoad.java failing with ServiceConfigurationError without jtreg -agentvm option

core-libs/java.util

Priority	Bug	Summary
P2	JDK-8284771	java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
P4	JDK-8335894	[8u] Fix SupplementalJapaneseEraTest.java for jdks with symlinked conf dir
P4	JDK-8299677	Formatter.format might take a long time to format an integer or floating-point

core-libs/java.util.jar

Priority	Bug	Summary
P4	JDK-8278794	Infinite loop in DeflaterOutputStream.finish()
P4	JDK-8193682	Infinite loop in ZipOutputStream.close()
P4	JDK-8315117	Update Zlib Data Compression Library to Version 1.3
P4	JDK-8324632	Update Zlib Data Compression Library to Version 1.3.1

core-libs/java.util:i18n

Priority	Bug	Summary
P3	JDK-8305400	ISO 4217 Amendment 175 Update
P3	JDK-8321480	ISO 4217 Amendment 176 Update
P3	JDK-8334653	ISO 4217 Amendment 177 Update

core-libs/javax.naming

Priority	Bug	Summary
P3	JDK-8196770	Add JNDI test com/sun/jndi/ldap/blits/AddTests/AddNewEntry.java
P3	JDK-8290367	Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
P4	JDK-8251188	Update LDAP tests not to use wildcard addresses

core-svc/debugger

Priority	Bug	Summary
P4	JDK-8030204	com/sun/jdi/JdbExprTest.sh: Required output "Can\\'t convert 2147483648 to int" not found
P4	JDK-4660158	TTY: NumberFormatException while trying to set values by 'set' command

core-svc/javax.management

Priority	Bug	Summary
P3	JDK-8145919	sun/management/jmxremote/bootstrap/RmiSslBootstrapTest failed with Connection failed for no credentials
P4	JDK-8335851	[8u] Test JMXStartStopTest.java fails after JDK-8334415
P4	JDK-8035395	sun/management/jmxremote/startstop/JMXStartStopTest.java fails intermittently: Port already in use

hotspot/compiler

Priority	Bug	Summary
P3	JDK-8313626	C2 crash due to unexpected exception control flow
P3	JDK-8021775	compiler/8009761/Test8009761.java "Failed: init recursive calls: 51. After deopt 50"
P4	JDK-8233364	Fix undefined behavior in Canonicalizer::do_ShiftOp

hotspot/gc

Priority	Bug	Summary
P3	JDK-8316328	Test jdk/jfr/event/oldobject/TestSanityDefault.java times out for some heap sizes

hotspot/jfr

Priority	Bug	Summary
P4	JDK-8305931	jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none"
P4	JDK-8326521	JFR: CompilerPhase event test fails on windows 32 bit
P4	JDK-8326529	JFR: Test for CompilerCompile events fails due to time out

hotspot/runtime

Priority	Bug	Summary
P4	JDK-8309138	Fix container tests for jdks with symlinked conf dir
P4	JDK-8152207	Perform array bound checks while getting a length of bytecode instructions

hotspot/test

Priority	Bug	Summary
P4	JDK-8337110	[8u] TestNoEagerReclaimOfHumongousRegions.java should be in gc/g1 directory

infrastructure/build

Priority	Bug	Summary
P4	JDK-8333669	[8u] GHA: Dead VS2010 download link
P4	JDK-8331730	[8u] GHA: update sysroot for cross builds to Debian bullseye
P4	JDK-8315863	[GHA] Update checkout action to use v4
P4	JDK-8137329	[windows] Build broken on VS2010 after "8046148: JEP 158: Unified JVM Logging"
P4	JDK-8075511	Enable -Woverloaded-virtual C++ warning for HotSpot build
P4	JDK-8281096	Flags introduced by configure script are not passed to ADLC build
P4	JDK-8318039	GHA: Bump macOS and Xcode versions
P4	JDK-8336928	GHA: Bundle artifacts removal broken
P4	JDK-8324723	GHA: Upgrade some actions to avoid deprecated Node 16

infrastructure/licensing

Priority	Bug	Summary
P4	JDK-8338144	[8u] Remove duplicate license files

infrastructure/release_eng

Priority	Bug	Summary
P4	JDK-8333126	Bump update version of OpenJDK: 8u432

security-libs/java.security

Priority	Bug	Summary
P2	JDK-8341057	Add 2 SSL.com TLS roots

security-libs/javax.net.ssl

Priority	Bug	Summary
P2	JDK-8341059	Change Entrust TLS distrust date to November 12, 2024
P3	JDK-8279164	Disable TLS_ECDH_* cipher suites
P3	JDK-8337664	Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs

tools

Priority	Bug	Summary
P4	JDK-8320964	sun/tools/native2ascii/Native2AsciiTests.sh fails on Japanese